@Info.Policy: What's hidden in that document you posted?

By Robert Gellman

Nov 19, 2003

How careful are you about placing agency documents on the Web? A casual posting can include unseen changes, comments or other elements not intended for public consumption. Here are a couple of embarrassing examples.

The first comes courtesy of British Prime Minister Tony Blair. Earlier this year, Blair's office posted a dossier on Iraq's security and intelligence organizations. U.S. Secretary of State Colin Powell cited it in an address to the United Nations.

Turns out, much of the material came from work by a U.S. researcher, and a British academic exposed the source. That was bad, but there was more.

The United Kingdom published the dossier online as a Microsoft Word file. Richard Smith, an American Internet security expert, found a hidden revision log of the last 10 edits.

Smith wrote a program to extract and display the log and other hidden information in the Word files, leading to additional disclosures about the document's history and the people who changed it.

Smith has advised using Adobe Portable Document Format to make online documents unalterable. But if the Justice Department was paying attention to Smith's advice, it learned the wrong lesson.

A few years ago, the department commissioned a study on the racial and gender diversity of its attorneys. Justice held up the report's release until it was eventually obliged to disclose portions under the Freedom of Information Act. The public version, posted in PDF, was extensively redacted.

Russ Kick of the Memory Hole Web site, at www.thememoryhole.org, downloaded the public document and found that he could easily recover the full text from the redacted portions. Kick promptly posted the complete version for all to see. View it by going to www.gcn.com and entering 173 in the GCN.com/search box. That was a double embarrassment for the department.

First, it exposed technical incompetence. Whoever made the redaction mistakes is a candidate for firing. The same mistakes elsewhere could undermine privacy, national security or a prosecution.

Second, with the full text visible, the department's heavy-handed exemption claims became clear. An awful lot of material was deleted that did not qualify for withholding.

Of course, Justice mostly withheld anything that was embarrassing, using one pretext or another.

If the department's FOIA office had any credibility left, and it doesn't in my book, this incident washed it away.

The point here is simple. Before posting a document on the Internet, make triply sure that it contains only elements that are supposed to become public. The same thing applies if you are passing around a document to others internally or leaking it. The hidden entrails might be found someday by an energetic reader, and you are not likely to be pleased.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@netacc.net.